[Oisf-users] Problems running Suricata 3.1.1 under FreeBSD 10.3

C. L. Martinez carlopmart at gmail.com
Wed Jul 27 13:38:37 UTC 2016 

Hi all,

 When I try to start suricata with these options: "--pcap -v -k none -D" under a FreeBSD 10.3 host (amd64, fully patched), the following errors appears:

27/7/2016 -- 13:29:53 - <Notice> - This is Suricata version 3.1.1 RELEASE
27/7/2016 -- 13:29:53 - <Info> - CPUs/cores online: 1
27/7/2016 -- 13:29:53 - <Info> - Found an MTU of 1500 for 'vtnet0'
27/7/2016 -- 13:29:53 - <Info> - Found an MTU of 1500 for 'vtnet3'
27/7/2016 -- 13:29:53 - <Info> - Found an MTU of 1500 for 'vtnet5'
27/7/2016 -- 13:29:53 - <Info> - Max dump is 0
27/7/2016 -- 13:29:53 - <Info> - Core dump setting attempted is 0
27/7/2016 -- 13:29:53 - <Info> - Core dump size set to 0
27/7/2016 -- 13:29:53 - <Info> - 3 rule files processed. 35 rules successfully loaded, 0 rules failed
27/7/2016 -- 13:29:53 - <Info> - 35 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 35 inspect application layer, 0 are decoder event only
27/7/2016 -- 13:29:53 - <Info> - Threshold config parsed: 0 rule(s) found
27/7/2016 -- 13:29:53 - <Info> - fast output device (regular) initialized: fast.log
27/7/2016 -- 13:29:53 - <Info> - stats output device (regular) initialized: stats.log
27/7/2016 -- 13:29:53 - <Info> - Going to use 1 thread(s)
27/7/2016 -- 13:29:53 - <Info> - using interface
27/7/2016 -- 13:29:53 - <Error> - [ERRCODE: SC_ERR_PCAP_ACTIVATE_HANDLE(27)] - Couldn't activate the pcap handler, error BIOCSETIF failed: Device not configured
27/7/2016 -- 13:29:53 - <Info> - Going to use 1 thread(s)
27/7/2016 -- 13:29:53 - <Info> - using interface vtnet0
27/7/2016 -- 13:29:53 - <Info> - Found an MTU of 1500 for 'vtnet0'
27/7/2016 -- 13:29:53 - <Info> - Set snaplen to 1524 for 'vtnet0'
27/7/2016 -- 13:29:53 - <Info> - Going to use 1 thread(s)
27/7/2016 -- 13:29:53 - <Info> - using interface vtnet3
27/7/2016 -- 13:29:53 - <Info> - Found an MTU of 1500 for 'vtnet3'
27/7/2016 -- 13:29:53 - <Info> - Set snaplen to 1524 for 'vtnet3'
27/7/2016 -- 13:29:53 - <Info> - Going to use 1 thread(s)
27/7/2016 -- 13:29:54 - <Info> - using interface vtnet5
27/7/2016 -- 13:29:54 - <Info> - Found an MTU of 1500 for 'vtnet5'
27/7/2016 -- 13:29:54 - <Info> - Set snaplen to 1524 for 'vtnet5'
27/7/2016 -- 13:29:54 - <Info> - RunModeIdsPcapWorkers initialised
27/7/2016 -- 13:29:54 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#01-" closed on initialization.
27/7/2016 -- 13:29:54 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...

 I have configured pcap's options in suricata.yaml:

# Cross platform libpcap capture support
pcap:
  - interface: vtnet0
    # On Linux, pcap will try to use mmaped capture and will use buffer-size
    # as total of memory used by the ring. So set this to something bigger
    # than 1% of your bandwidth.
    #buffer-size: 16777216
    #bpf-filter: "tcp and port 25"
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: no
    # With some accelerator cards using a modified libpcap (like myricom), you
    # may want to have the same number of capture threads as the number of capture
    # rings. In this case, set up the threads variable to N to start N threads
    # listening on the same interface.
    #threads: 16
    # set to no to disable promiscuous mode:
    #promisc: no
    # set snaplen, if not set it defaults to MTU if MTU can be known
    # via ioctl call and to full capture if not.
    #snaplen: 1518
  - interface: vtnet3
  - interface: vtnet5
  # Put default values here
  - interface: default
    checksum-checks: no


 .. And running with thes other switches: "--pcap=vtnet0 --pcap=vtnet3 --pcap=vtnet5 -v -k none -D", all works ok. Any idea why?? Maybe the problem is to try to run suricata with multiple interfaces??

Thanks.

-- 
Greetings,
C. L. Martinez

More information about the Oisf-users mailing list